Registering with ICO

Under current rules, most organisations that act as a Data Controller, i.e. process any personal information about individuals, need to register with the ICO and pay a notification fee of £35 or £500 (depending on the organisation’s size) unless they are exempt.

Some churches may be exempt if they process only the following data:

Church membership list (where church members have provided their own details)

Gift Aid information

Payroll and Accounting records

If you gather or store any personal data which is not on this very limited list, you should be registered with the ICO. This includes any pastoral notes and any communications to or from church members which mention personal information, as well as any fundraising requests. In real terms, very few churches will find themselves exempt.

It is also important to note that exemption from registration and the fee does not mean exemption from complying with Data Protection Legislation. You are still expected to comply with the current legislation and that will not change under GDPR.

If you are not sure whether or not you should currently be registered, you can use the ICO’s own self-assessment tool.

If you do need to register with the ICO, you can currently do so here:

How will this change under GDPR?

From May 25th 2018, organisations will no longer be required to register with the ICO as Data Controllers. However, all organisations acting as Data Controllers will still be required to pay an annual fee. The new fee structure will come into effect on the 1st of April 2018 and will be as follows:

Fee of up to £55: Smaller organisations with a staff headcount of under 250, an annual turnover of under £50M, and which process fewer than 10,000 records.

Fee of up to £80: Smaller organisations with a staff headcount of under 250, an annual turnover of under £50M, and which process more than 10,000 records.

Fee of up to £1000: Larger organisations with a staff headcount of over 250 and an annual turnover of over £50M.

Direct Marketing Top-Up of up to £20 for any organisation, regardless of size or turnover, which carries out electronic marketing activities. You can read more about fundraising under GDPR here.

We are already registered and have already paid the fee. Will we need to pay again?

The current ICO advice is that you will not need to pay the new fee until the full year has run out from the time you last paid.

We are currently exempt from the fee. Will this change under GDPR?

The official guidance around exemptions under GDPR is still in development, but the ICO does not currently anticipate any significant change. However, you should think very carefully about whether or not you truly meet the criteria for exemption. If you gather, hold or use any personal data at all outside of church membership and financial records, you will not be exempt from paying the appropriate fee.